On 04/04/2016 06:17 AM, tilt! wrote:

> Am 04.04.2016 um 04:54 schrieb fsmithred:
>>    session optional pam_umask.so umask=0022"

>
> Add such customization to
>

>    /etc/pam.d/common-session

>
> instead. The statement should appear after the end of the block that is
> automatically updated by "pam-auth-update", i.e. it should follow the line
>

>    # end of pam-auth-update config

>
> I tested the statement
>

>    session optional pam_umask.so umask=0027

>
> and it gives me the expected result.
>
> See /etc/pam.d/common-session and pam-auth-update(8) for more details

I'm getting a bit uncomfortable about starting this thread, because upon
reflection, it seems that one consequence of setting the system-wide may
be that the 027 umask will end up having some system account creating a
file that should be world-readable or world-executable, but because of
the umask, it now would not be, and so would break stuff. My intent was
to protect data of one user from other users, which could be done by
making the change in .profile or even in the default .bashrc.

--
hkp://keys.gnupg.net
CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0